Microsoft Intune, SysCtr, OpsMgr, ConfigMgr

Primary Menu

Page 2 of 6

It has been a long time that I have worked with Windows Intune. The most recently blog was about Windows Intune this year in January. I had a day off today. That means for me, it’s time for Intune! I was curious about Direct Management, Deploying Windows Apps to a Windows Device and how to register an Android mobile device via Company Portal. So, I begun with Windows Device enrollment, Windows App deploying and Direct Management.

First you have to know about sideloading and deploying Windows App to different versions of Windows 8.1. There are different ways to deploy or install a Windows app. You can use the Windows Store or, you can use a deployment tool like; ConfigMgr, MDT or Windows Intune. Apps which are available in the Windows App Store are automatically signed and validated as trusted by Microsoft and can be deployed by Windows Intune directly out the Windows Store to the devices. When you have to distribute a business-line(LOB) app directly to a user without using the Windows Store, you have to sideload the app. Sideloading means bypass the validation and signing requirements of the Windows Store and makes you responsible for validating and singing them. You cannot sideload an app that has been downloaded from the Windows Store. Due the corporate policy it’s duly that the company doesn’t want to make there LOB apps available in the Windows Store. For them is sideloading the only option to deploy Windows Store apps. Also, they will be responsible for app updates to users. For sideloading you have to use sideload keys. They are available at Microsoft Volume Licensing. More information about sideloading, check this url: http://technet.microsoft.com/en-us/library/dn613831.aspx

Which versions must be sideloading the apps?

NOTE: Unfortunately, I can’t test sideloading. I don’t have the keys for sideloading. Because of that, I could test only a Windows 8.1 Enterprise Update 1 domain joined.

UPDATE: Microsoft has changed its Sideloading process for all Windows 8.1 devices. For Windows Phone 8.1 you can download the .XAP from the Windows Store and put it on your external disk of your mobile device. From the external memory/disk you can install the app. This is also available(via PowerShell, SCCM or Windows Intune) if your Windows 8.1 Pro and Enterprise are domain joined. For devices which are not domain joined (like Windows RT) you have to use Sideloading activation keys. Obtain a Sideloading activation key, see the this site Windows 8 Volume Licensing Guide. Read more about this process at Technet: http://technet.microsoft.com/en-us/library/dn613831.aspx How to use Sideloading Product Activation Key, see this website: http://technet.microsoft.com/en-us/library/dn613835.aspx

Let’s begin with a group policy. We have to enable Allow all trusted app to install in Computer Configuration -> Administrative Templates -> Windows Components -> App Package Deployment or you can change this registry HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1.

Go to the AppPackages directory, where you got the appx (app file) and select the *.cer.

Verify the imported certificate.

It’s time to deploy the app to a Windows Device.

Download the Company portal from the Windows Store.

The device is ready. You can install your test app from the Company Portal.

That’s all folks. You have a device that is being direct managed by Windows Intune and it is ready to deploy Windows Store apps. If you have any questions or comments about this configuration or about deploying, don’t hesitate to leave a message!

This blogpost is all about Active Directory Federation Services (ADFS) and DirSync. To activate Single Sign On in Microsoft Azure, an on-premise ADFS in combination with DirSync are required. DirSync is to sync your on-premise Active Directory with the Microsoft Azure Active Directory. ADFS will be used for handling the on-premise log in credentials to activated SSO.

ADFS is also required to register your (mobile) device for management. This feature is available in Windows RT/8 and is called Workplace.

In this blogpost I describe the installation and the configuration of ADFS and DirSync. I’m telling you about Device registration and how to prepare the ADFS for Windows Intune.

You will need for this blog one server based on Windows Server 2012 R2 Update 1.

NOTE: This ADFS environment is only accessible inside the network. If you want to use this outside your internal network, you have to change the FQDN into your public domain name while making a new certificate. Don’t forget to add the necessary DNS records and configure the firewall(s).

Good luck!

Create a group Managed Service Account (GMSA) . Run this on the domain controller.

Set-MsolAdfscontext -Computer <AD FS primary server> if you run this on the primary ADFS server, you don’t need to run this command.

New-MsolFederatedDomain –DomainName <domain> or

Convert-MsolDomainToFederated –DomainName <domain>

To verify: Get-MsolFederationProperty –DomainName <domain>

Add UPN for DirSync:

Installing DirSync:

DirSync needs Framework 3.5 or 4.0

To check the sync status, you can open Synchronization Service Manager tool located in: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miiclient.exe

And check the Azure admin webconsole: You will see the on-premise users in the webconsole.

The only thing what you have to do is to change the account to your newly created UPN suffix.

Also in the account webconsole you have to edit the synchronized on-premise accounts. You need to give them access to Windows Intune, otherwise they can’t register a device or installing an app from the Company Portal.

Add a record in DNS:

an A record for the hostname (if not exists) <your adfs hostname> to an IP address

a CNAME record for enterpriseregistration:

If your environment has multiple UPN suffixes, you must create multiple CNAME records, one for each of those UPN suffixes in DNS.

Also one for enterpriseenrollment. This one is target to: manage.microsoft.com

Test:

You can test if SSO is working. Go to http://manage.microsoft.com or http://portal.manage.microsoft.com and use your on-premise username with the UPN suffix. The website checks and sees your UPN suffix. Now you will be automatically forwarded to the on-premise ADFS website for log in. After that you will be automatically logged in on Windows Intune. You are in the console right now.

That’s all folks. If you have any questions or comments about this blog, please don’t hesitate to leave a message or send me a mail.

In this blogpost I describe the installation and configuration of Active Directory Certificate Service (ADCS) role. This is based on an Enterprise PKI. Enterprise PKI is an environment with a RootCA and a Subordinate CA. With this configuration the RootCA goes offline for security propose and goes online when issuing a subordinate CA certificate. Just follow the screenshots and you have in no time an Enterprise PKI in place. The servers are based on Windows Server 2012 R2 update 1 and you will need 2 servers (I assume you have the domain controller in place). This environment can be used for ADFS, Microsoft Azure, Windows Server 2012 R2 Workplace or for SCCM/SCOM 2012 R2 client communications.

Note: the RootCA is a standalone CA and the subordinate is an Enterprise CA. The RootCA is not domain joined.

You have configured the ADCS into a RootCA. You have to change some settings for the subordinate CA. In Server Manager go to Tools – Certification Authority (CA). Right click on the your CA server/name and choose for Properties. Open the tab Extensions.

Select Include in the AIA extension of issued certificates. Click on Ok and restart the service.

Now, we have to publish the revocation list.

Export certificate without a private key for the subordinate CA server.

MMC and add the certificate snapin for local computer. Create also a share for the content. This will be used for later if we are configuring the subordinate CA server.

Copy the content of c:\windows\system32\certsrv\certenroll to your shared folder.

RootCA is in place and we go further with the subordinate CA server. This process is the same with different options. So I have only made a screenshots of the different choices, especially for the subordinate CA.

Installing:

Add all features

Add all features

Configure:

Now we have to install the certificate into the subordinate CA server. Go to your share and right click on the exported certificate for installing the certificate into the local machine’s trusted root CA.

Copy the request file on the root of C: to your shared folder.

Go to your root CA and submit a new request.

We have to issue the new request.

We need to export the certificate into a p7b.

Open the exported file to verify it.

Go back to the subordinate CA server and stop the CA service.

After that install the p7b certificate.

Final step before we have the subordinate CA in place.. Open GPO and import the RootCA certificate for distributing at domain level.

Deploying Certificate Templates:

Go to your subordinate CA and right click on Certificate Templates -> Manage

Right click on Web Server and choose Duplicate Template

Open the tab General. Change the name and select Publish certificate in Active Directory

Open the tab Request handling and select Allow private key to be exported:

Edit the security for the computer. If you know the hostname add this name in the security list. The computer does need Read, Enroll and Autoenroll.

Click apply. You see your templates in the list:

The next is to publish the created template for issuing certificates. Go back to your CA console and right click on Certificate Templates -> New -> Certificate Template to Issue

At this time the newly created templates are published. You could test this templates via IIS to request a web server certificate.

All IBM WebSphere application servers that run on Linux or AIX computers are not automatically discovered by the Management Pack for Java Enterprise Edition (JEE) if multiple application servers are defined in a single WebSphere profile.

How you doing, how you been? It’s a long time that I wrote a blog on my blogsite. I have been very busy at work and also at home. With 2 little children it’s a little bit messy at home, haha. But, this will change today. My blogsite has got a higher priority for the few coming months. I have (must) to blog more about Windows Intune en System Center, especially the integration Windows Intune with SCCM 2012 R2 (MDM/UDM feature). Beneath that I’m working on a corporate image for a company where I work with. A blog about this experience, with DaRt and MDT 2013 integrated, will coming soon.

This blog is not really that great, but I have to start with something 😉

Windows Intune update, Q2/Q3 2014

Microsoft has introduce the new update policy for Windows Intune. The old one what Microsoft managed was releasing a big update of Windows Intune once or twice a year, mostly in Q1 or Q4. The new one is splitting up the update into months, to speed up the release of the features.